
Bug#1024186: linux: consider deprecating unprivileged_userns_clone



Package: linux
Version: 6.0.8-1
Severity: wishlist

In #898446 the decision was made to enable unprivileged_userns_clone by default and this shipped in bullseye. In the course of discussion bwh suggested:

  So I think we should do something like this:

  * Document user.max_user_namespaces in procps's shipped
    /etc/sysctl.conf
  * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
    it (log a warning if it's changed)
  * Document the change in bullseye release notes

The default did get changed, but the other things haven't been done yet.

FYI: I do not know the current state of the upstream patch but I do still see it in debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

Assuming Debian will not keep it, I propose:
* bookworm should warn users still setting it that it's deprecated
* bookworm should still properly disable it for users setting it to 0
* bookworm release notes should document it going away and the alternative
* bookworm procps should include an example in the default sysctl.conf and ps(1) proc(5) manpages
* trixie should remove it and release notes document
* it might also be useful to document in the above which common cases require that unpriv userns is enabled, maybe to avoid some footguns

How does that sound?

As a side note:
* desktop machines seem pretty dependent on unpriv userns by now so the default should remain enabled
* there are still recent CVEs enabled by unpriv userns, disabling it on systems that don't need it is still worthwhile

Thanks,

--
Matt Taggart
matt@lackof.org
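The report refers to two different knobs: Debian's kernel.unprivileged_userns_clone sysctl and the upstream user.max_user_namespaces limit that is the proposed replacement. The script below is an added example (not part of the bug report or of Debian's packaging) that reports which of the two currently governs unprivileged user namespace creation on a host and finds sysctl configuration lines that still set the deprecated key, which would start failing under `sysctl --system` once the key is removed. The optional root prefix argument is an assumption of the example so it can be exercised against a constructed fake /proc tree; with no argument it inspects the real system.

```shell
#!/bin/sh
# Added example, not the bug report's or Debian's own code: audit how
# unprivileged user namespace creation is controlled on this host.
# An optional root prefix (assumption of this example) lets the functions
# run against a constructed fake /proc tree; empty means the real system.

# Read a sysctl through /proc/sys; print "absent" when the kernel does not
# expose it (for instance a kernel without Debian's
# unprivileged_userns_clone patch, as proposed for trixie).
read_sysctl() {
    f="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Summarise whether unprivileged users can create user namespaces and which
# knob is responsible, so the deprecated one can be migrated deliberately.
userns_status() {
    root="${1:-}"
    clone=$(read_sysctl "$root" kernel.unprivileged_userns_clone)
    max=$(read_sysctl "$root" user.max_user_namespaces)
    if [ "$clone" = 0 ]; then
        echo "disabled via kernel.unprivileged_userns_clone=0 (deprecated knob)"
    elif [ "$max" = 0 ]; then
        echo "disabled via user.max_user_namespaces=0"
    elif [ "$clone" = absent ]; then
        echo "enabled; only user.max_user_namespaces is available on this kernel"
    else
        echo "enabled (max_user_namespaces=$max)"
    fi
}

# List configuration lines that still set the deprecated key. Accepts files
# or directories; prints nothing (and succeeds) when there are none.
stale_userns_settings() {
    grep -rn '^[[:space:]]*kernel\.unprivileged_userns_clone' "$@" 2>/dev/null || true
}

# Stand-alone run against the real system.
userns_status
stale_userns_settings /etc/sysctl.conf /etc/sysctl.d
```

A host that only needs the namespace restriction on machines without desktop or container workloads can carry `user.max_user_namespaces = 0` in /etc/sysctl.d instead of the deprecated key; the second function is what you would run before upgrading to confirm no leftover `kernel.unprivileged_userns_clone` lines remain.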

